GDPR Policy

1. INTRODUCTION

This Policy on the processing and protection of personal data (hereinafter referred to as “Policy”) defines the procedure for processing and protection of personal data in SC Romair Consulting SRL, a limited liability company organized and operating in accordance with Romanian legislation, having its registered office in Romania, Bucharest, Str. Aviator Sănătescu no. 4, sector 1, registered at the Bucharest Trade Register under no. J40 / 9663/1997, CUI RO10182058 (hereinafter referred to as “SC Romair Consulting S.R.L.” or “Operator”), and establishes the procedures aimed at preventing and highlighting any violations of the applicable law regarding personal data. This Policy has been developed in accordance with the legislation of Romania and the European Union, in particular with the following documents:

• General Regulation on Data Protection (RGPD) no. 679, on the protection of individuals with regard to the processing of personal data and on the free movement of such data and repealing Directive no. 95/46 / EC, adopted by the European Parliament and the European Council on 27 April 2016;

• Any other national / local law on the protection of personal data that applies in Romania.

2. PURPOSE OF THE DATA PROTECTION POLICY

The main goals of the Policy are:

• Establish a procedure, as well as the terms and conditions regarding the processing of personal data, including procedures aimed at preventing the violation of laws and procedures for performing internal control in accordance with the applicable legislation on personal data;

• Familiarizing the staff of SC Romair Consulting SRL responsible for the processing of personal data with the Policy and the applicable law regarding personal data;

• Establishing responsibilities for staff who process personal data in case of non-compliance with the applicable law on personal data.

• Respecting the right of the subjects to be informed on the way in which SC Romair Consulting SRL processes their personal data.

Thus, the purpose of this Policy is to explain which personal data are subject to processing, why they are processed and the future management of such data. Given that the personal information belongs to each user, all necessary steps and measures will be taken to store the data safely and process it carefully. The information will not be provided to third parties without fulfilling the prior obligation to inform the persons whose data may be provided, regardless of the reason for which it is provided.

3. SCOPE AND MODIFICATION OF THE DATA PROTECTION POLICY

This data protection policy applies to SC Romair Consulting SRL and the company’s employees. The data protection policy extends to all processing of personal data. This data protection policy can be modified only under the direct coordination of the Data Protection Coordinator (DPC) within SC Romair Consulting SRL, any change being validated by the Data Protection Officer (DPO) designated at the level of the Operator / SC Romair Consulting. The changes will be reported immediately at group level within the Operator / SC Romair Consulting SRL, using the process of modification and dissemination of policies.

The latest version of the data protection policy can be accessed with information on data privacy on the website of SC Romair Consulting SRL: www.romair.ro

4. BASIC DEFINITIONS

For the purposes of this Policy, the following definitions are used:

“Data Protection Officer (DPO)” means a person who is responsible for monitoring the application of the GDPR and other applicable laws on the protection of data subjects with regard to the processing of personal data, who performs the functions assigned to him by this Policy and other applicable legislation, and who provides consultancy to the management of SC Romair Consulting SRL regarding the protection of personal data.

“Data Protection Coordinator (DPC)” is the local contact person within SC Romair Consulting SRL. It may perform checks and familiarize the Operator’s employees with the provisions and content of data protection policies.

“Data Protection Officer (DPO)” – a person appointed at the level of the Operator who is independent in terms of professional orders, carries out his activity to comply with the legislation in force on data protection, is responsible for the data protection policy and supervises its observance.

“Personal data” means any information relating to an identified or identifiable natural person (“data subject”); an identifiable natural person is a person who can be identified, directly or indirectly, in particular by reference to an identifying element, such as a name, an identification number, location data, an online identifier, or to one or more elements specific to the physical, physiological, genetic, mental, economic, cultural or social identity of that person;

“Processing” means any operation or set of operations performed on personal data or personal data sets, with or without the use of automated means, such as the collection, recording, organization, structuring, storage, adaptation or modification, extracting, consulting, using, disclosing by transmission, dissemination or otherwise making available, aligning or combining, restricting, deleting or destroying;

“Restriction of processing” means the marking of stored personal data in order to limit their future processing;

“Profiling” means any form of automatic processing of personal data which consists in the use of personal data to assess certain personal aspects relating to an individual, in particular to analyze or predict aspects of performance at work, economic situation, health, personal preferences, interests, reliability, behavior, location of the individual or his travels;

“Operator” means the natural or legal person, public authority, agency or other body which, alone or in conjunction with others, establishes the purposes and means of the processing of personal data. For the purposes of this Policy, the operator means SC Romair Consulting SRL;

“Person empowered by the controller” means the natural or legal person, public authority, agency or other body which processes personal data on behalf of the controller;

“Recipient” means the natural or legal person, public authority, agency or other body to whom personal data are disclosed, whether or not it is a third party;

“Third party” means a natural or legal person, public authority, agency or body other than the data subject, the controller, the person empowered by the controller and the persons who, under the direct authority of the controller or of the person empowered by the controller, are authorized to process personal data;

“Consent” of the data subject means any manifestation of the free, specific, informed and unambiguous will of the data subject by which he accepts, by an unequivocal statement or action, that the personal data concerning him be processed;

“Violation of the security of personal data” means a breach of security that leads, accidentally or illegally, to the destruction, loss, alteration or unauthorized disclosure of personal data transmitted, stored or otherwise processed, or to unauthorized access to them;

“Health data” means personal data relating to the physical or mental health of a natural person, including the provision of healthcare services, which disclose information about his or her state of health;

“Cross-border processing” means either the processing of personal data which takes place in the context of the activities of establishments in several Member States of an operator or of a person authorized by the controller in the Union, if the controller or the person authorized by the controller is established in at least two member states; or the processing of personal data which takes place in the context of the activities of a single establishment of an operator or of a person authorized by the controller in the territory of the Union but which significantly affects or is likely to significantly affect member states.

5. PRINCIPLES OF PERSONAL DATA PROCESSING

a. Correctness and legality

SC Romair Consulting SRL protects the individual rights of individuals (“data subject”) in the processing of personal data, personal data being collected and processed legally and correctly.

“Legality” – involves identifying the legal basis before processing personal data. These are often referred to as “processing conditions”, for example, consent.

“Correctness” – in order for the data processing to be correct, the data controller must make certain information available to the data subjects. This applies regardless of whether the personal data were obtained directly from the data subjects or from other sources.

b. Restrictions on a specific purpose (“purpose limitations”)

Personal data is processed only for the purpose defined before the start of data collection. Subsequent changes to the scope are only possible on an exceptional basis, to a limited extent, requiring a sound substantiation, with the approval of the DPO and the Data Protection Coordinator (DPC).

c. Transparency

The data subject shall be informed of the manner in which his or her data are processed. In general, personal data are collected directly from the person concerned. When data is collected, the data subject must be aware of or informed about:

• Data Operator Identity,

• Purpose of data processing,

• Third parties or categories of third parties to whom the data may be transmitted.

d. Reducing data processing and the economy of data collection (“minimizing data”)

Prior to the processing of personal data, it must be determined whether and to what extent the processing of personal data is necessary to achieve the purpose for which it is carried out. Where the purpose so permits and where the costs involved are proportionate to the purpose pursued, anonymous or statistical data are used. Personal data is not collected in advance and stored for potential future purposes, unless required or permitted by applicable law.

e. Deletion

Personal data that is no longer needed after the expiration of periods related to legal or business processes is deleted. If indications are identified regarding the existence of interests that need to be protected or related to the historical importance of these data in individual cases, it is possible that SC Romair Consulting SRL will keep the data until the interests that deserve to be protected have been legally clarified, or the corporate archive has evaluated the data to determine whether it should be kept for historical / archival purposes. When the deletion of the data may have an impact on the computer systems of SC Romair Consulting SRL, the data will be irreversibly anonymized, so that there are no clues that could lead to the identification of the data subject.

f. Factual accuracy; data update (“accuracy”)

Personal data must be accurate, complete and, if necessary, updated. SC Romair Consulting SRL takes appropriate measures to ensure that erroneous or incomplete data is deleted, corrected, completed or updated.

g. Confidentiality and data security (“integrity and confidentiality”)

Personal data are subject to legal obligations of confidentiality. They must be treated as confidential by every employee of SC Romair Consulting SRL and adequate organizational and technical measures are provided to prevent unauthorized access, illegal processing or distribution, as well as accidental loss, modification or destruction.

h. The principle of liability according to GDPR

The GDPR includes provisions that promote accountability and governance. They complement the transparency requirements of the GDPR. The principle of liability in Article 5 (2) of the GDPR requires the Operator to demonstrate that it respects the principles and explicitly specifies that this is the responsibility of the Operator.

SC Romair Consulting SRL will demonstrate compliance with data protection principles by implementing data protection policies, compliance with codes of conduct, implementing technical and organizational measures, and adopting techniques such as data protection by design, DPIAs, infringement notification procedure and incident response plans.

4. THE BASIS OF DATA PROCESSING

The collection, processing and use of personal data is permitted only on the basis of the need to carry out the company’s activities. Thus, the following categories of data can be collected, processed and used:

a. Data about customers and partners

a.1. Data processing for the execution of a contract

The personal data of contacts and representatives of customers, suppliers and partners can be processed to establish, execute and terminate a contract. Before signing the contract, during the initiation phase of the contract, personal data may be processed to prepare tenders or purchase orders or to meet other requirements relating to the conclusion of the contract. Contacts can be contacted during the contract preparation process, using only the information they provided for contact. Any restrictions requested by those contacts must be complied with.

a.2. Consent as a basis for data processing

Where the consent of the data subject is required, the Data may be processed upon receipt of the data subject’s consent. Consent must be obtained in writing or electronically for documentation purposes. In certain circumstances, such as telephone conversations, consent may be given orally. It is mandatory to document the consent.

a.3. Data processing in accordance with the legal obligation

The processing of personal data is also permitted if the applicable law so requires or permits. The type and extent of data processing must be necessary for the lawful activity of data processing and must comply with the relevant legal provisions.

a.4. Data processing in accordance with legitimate interests

Personal data may also be processed if this is necessary for a legitimate interest of SC Romair Consulting SRL. Legitimate interests are generally of a legal nature (e.g. collection of outstanding claims) or commercial (e.g. avoidance of breaches of contract). Personal data may not be processed for the purpose of a legitimate interest if, in individual cases, there is evidence that the interests of the data subject deserve protection and that they have priority. Before processing the data, it is necessary to determine whether there are interests that deserve to be protected.

a.5. Processing of sensitive data

SC Romair Consulting SRL does not process any information regarding race, nation, political opinions, religious or philosophical beliefs, or privacy.

Sensitive personal data may only be processed if the law so requires or if the data subject has given his or her express consent. This data may also be processed if such processing is mandatory for the recognition, exercise or defense of the legal rights of the data subject. If within SC Romair Consulting SRL there are extremely sensitive data processing plans, the DPO and the Data Protection Coordinator (DPC) must be informed in advance.

If personal data is collected, processed and used on websites or in applications, data subjects must be informed of this by means of a confidentiality statement and, where appropriate, be provided with information on cookies. The privacy statement and any information on cookies must be integrated in such a way as to be easily identifiable, directly accessible and consistently available to the data subjects.

b. Data of the employee / future employees

b.1. Data processing for the employment relationship

In employment relationships, personal data may be processed, if necessary, for the initiation, execution and termination of the employment contract. Upon initiation of an employment relationship, the personal data of the applicants will be processed. If the candidate is rejected, his / her data must be deleted in accordance with the required retention period, unless the applicant has agreed to remain on the file for a future selection process for a period of 12 months from the date of application. Consent is also required to use the data for additional application processes or before sharing the application with other companies within the Operator.

In the existing employment relationship, the processing of data must always relate to the purpose of the employment contract, unless one of the following circumstances authorizing data processing applies. If it is necessary to collect information about an applicant from a third party during the application procedure, the requirements of the relevant national laws must be complied with. In case of doubt, an agreement must be obtained from the data subject. There must be a legal authorization for the processing of personal data that is related to the employment relationship but was not initially part of the performance of the employment contract. These may include legal requirements, collective regulations with employee representatives, employee consent or the legitimate interest of the company.

b.2. Data processing in accordance with the legal obligation

The processing of personal data of employees is also allowed if the national legislation requires this. The type and extent of data processing must be necessary for the lawful activity of data processing and must comply with the relevant legal provisions. If there is some legal flexibility, the interests of the employee who deserve to be protected must be taken into account.

b.3. Consent to data processing

Where necessary, the Employee’s Data may be processed with the consent of the person concerned. Statements of consent must be submitted voluntarily. The involuntary agreement is void. The declaration of consent must be obtained in writing or in electronic format and will be kept by the operator. In certain circumstances, consent may be given orally, in which case it must be properly documented. In the case of informed and voluntary provision of data by the relevant party, the existence of an agreement may be presumed, unless national law requires express consent.

“Consent” means that the data subject has given his or her consent to the processing of personal data concerning himself / herself. The data subject may withdraw his consent at any time by sending an email to the specified address: office@romair.ro.

b.4. Data processing based on a legitimate interest

Personal data may also be processed if it is necessary to enforce a legitimate interest of SC Romair Consulting SRL. Legitimate interests are generally of a legal nature (for example: filing, enforcing or defending against legal actions) or financial (for example: valuation of companies).

Personal data may not be processed on the basis of a legitimate interest if, in individual cases, there is evidence that the employee’s interests deserve protection. Before processing the data, it must be determined whether there are interests that deserve to be protected.

Control measures that require the processing of employee data may be taken only if there is a legal obligation to do so or if there is a legitimate reason. Even if there is a legitimate reason, the proportionality of the control measure must also be examined. The justified interests of SC Romair Consulting SRL (for example: compliance with the company’s legal provisions and internal regulations) must be weighed against the employee’s interests to be protected and which may be affected by the control measure to be adopted. The legitimate interest of the company and any interests of the employee who deserve to be protected must be identified and documented before any action is taken. In addition, any additional requirements of national law must be taken into account (for example, co-decision rights for employee representatives and information rights of data subjects).

b.5. Processing of sensitive personal data

Sensitive personal data can only be processed under certain conditions. Sensitive personal data are data about racial and ethnic origin, political beliefs, religious or philosophical beliefs, membership in a union / formation and the health and sexual life of the data subject. In accordance with national law, other categories of data may be considered sensitive or the content of the data categories can be completed differently. Furthermore, data relating to an offense can only be processed in accordance with the special requirements of national law.

Processing must be expressly permitted or prescribed by national law. In addition, processing may be permitted if it is necessary for the responsible authority to fulfill its rights and obligations in the field of labor law. The employee may also expressly consent to the processing.

If there are plans for the processing of sensitive personal data, the Data Protection Coordinator (DPC) must be informed in advance.

b.6. Telecommunications and the internet

Telephone equipment, e-mail addresses, intranets and the internet together with internal social networks are provided by the company primarily for work-related assignments. They are a tool and a resource of the company. They can be used within the limits of the applicable legal regulations and internal company policies. In the case of authorized use for personal purposes, telecommunications secrecy laws and national telecommunications laws must be complied with, where applicable.

To ensure the confidentiality, integrity and availability of data, Romair Consulting may implement automated protection measures, including traffic analysis, to detect and prevent attack vectors or patterns, as well as to respond to cyber security incidents.

In order to ensure a high degree of computer security and in order to resolve computer security incidents, the use of telephone equipment, e-mail addresses, intranet / internet networks and internal social networks may be recorded for a temporary period. The evaluation of these data and the identification / profiling of a certain person can be done only in a concrete and justified case of suspected violations of the laws in force or of the Romair Consulting policies. Evaluations can only be carried out by the investigation departments, while ensuring compliance with the principle of proportionality.

Romair Consulting will not process personal data in the absence of any of the above reasons. The same rule also applies if the purpose of the collection, processing and use of personal data must be changed from the original purpose.

SC Romair Consulting SRL uses ‘cookies’ on its website. A ‘cookie’ is a small amount of data, often including a unique identifier, that is sent to the computer’s browser from the server of a website and stored on the user’s hard drive. It allows a website to remember things like user preferences or what is in the user’s shopping cart.

5. TRANSMISSION OF PERSONAL DATA

The transmission of personal data to the recipients outside or inside SC Romair Consulting SRL is subject to the authorization requirements for the processing of personal data in accordance with section 5 of law no. 190 of 18 July 2018 on measures to implement Regulation (EU) 2016/679 of the European Parliament and of the Council of 27 April 2016 on the protection of individuals with regard to the processing of personal data and on the free movement of such data, and repealing Directive 95/46 / EC. The beneficiary of the data must be obliged to use the data only for the defined purposes.

If the data is transmitted to a recipient outside SC Romair Consulting SRL in a third country, that country must agree to maintain a level of data protection equivalent to this data protection policy. This does not apply if the transmission is based on a legal obligation. Such a legal obligation may be based on the laws of the country of residence of the Data Transmitter. In the alternative, the laws of the country of residence of the group company may recognize the purpose of the transmission of data on the basis of the legal obligation of a third country.

If the data is transmitted by a third party to SC Romair Consulting SRL, it must be ensured that the data can be used for the desired purpose.

If personal data are transferred from a company of the Operator headquartered in the European Union / European Economic Area to a company of the Operator headquartered outside the European Economic Area (third country), the company importing the data is obliged to cooperate in any investigation made by the competent supervisory authority of the country where the exporting party has its registered office and to comply with the supervisory authority’s observations on the processing of the transmitted data. The same is true for the transmission of data by companies in groups in other countries. If they are part of an international certification system for compliance with mandatory corporate data protection rules, they must ensure cooperation with relevant audit offices and agencies. Participation in such certification schemes must be agreed with the data protection officer.

If a data subject claims that this data protection policy has been infringed by the Group company located in a third country that imports the data, the Group company based in the European Economic Area that exports the data undertakes to support the party concerned, whose data have been collected in the European Economic Area, in order to establish the facts and to assert their rights under this policy against the group company importing the data.

6. PROCESSING OF DATA REGARDING CONTRACTS

Data processing on behalf of a customer means that a provider is engaged to process personal data without taking responsibility for the associated business process. In these cases, a data processing agreement must be concluded between the external suppliers and Romair Consulting. The customer retains full responsibility for the correct performance of the data processing. The provider may process personal data only according to the customer’s instructions. When issuing the order, the department placing the order must ensure that the following requirements are met:

a) The supplier must be chosen on the basis of his ability to cover the necessary technical and organizational protection measures.

b) The order must be sent in writing. Instructions on data processing and customer and supplier responsibilities must be documented.

c) The contractual standards on data protection provided by the data protection officer must be taken into account.

d) Before starting the data processing, the customer must have confidence that the provider will comply with its obligations. A provider may document compliance with data security requirements, in particular by presentation of an appropriate certification. Depending on the risk of data processing, reviews should be repeated regularly throughout the contract.

e) In the case of cross-border processing of contract data, the relevant national requirements for the disclosure of personal data abroad must be met. In particular, personal data in the European Economic Area may be processed in a third country only if the provider can prove that he has a data protection standard equivalent to this data protection policy. The appropriate tools can be:

i. Agreement on EU standard contract terms for the processing of contract data in third countries with the supplier and any subcontractors.

ii. Participation of the provider in an EU accredited certification system to ensure a sufficient level of data protection.

iii. Recognition of mandatory corporate rules of the provider to create an adequate level of data protection by the data protection supervisors.

7. THE RIGHTS OF THE PERSON CONCERNED

The data subject whose personal data are processed by SC Romair Consulting SRL has the following rights:

• The right to be informed – to obtain from SC Romair Consulting SRL the following information:

i. the identity and contact details of SC Romair Consulting SRL, of the representatives and of the data protection officer;

ii. the purposes and legal basis of the processing of personal data, the legitimate interests of SC Romair Consulting SRL;

iii. categories of personal data;

iv. recipients of personal data, including recipients from third countries or international organizations (if any) and reference to the appropriate safeguards and means;

v. the period of storage of personal data and the criteria used to determine that period, provided that SC Romair Consulting SRL keeps and processes personal data as long as the laws and legal regulations require it. The processing of personal data ceases immediately if there is no reason for such processing;

vi. the source from which the personal data come (if the personal data were not obtained from the data subject);

vii. whether the provision of personal data is a legal or contractual requirement, or a requirement necessary to conclude a contract, and whether the data subject is obliged to provide personal data and

viii. possible consequences of failure to provide this data by the data subject.

• The right of access to personal data – to obtain from SC Romair Consulting SRL confirmation that personal data are processed or the right to receive a copy of any record containing his personal data;

• The right to rectification – to obtain from SC Romair Consulting SRL without undue delay the rectification of inaccurate personal data about him / her, the completion of incomplete personal data, including by providing an additional statement;

• The right to delete data (“the right to be forgotten”) – to obtain from SC Romair Consulting SRL the deletion of personal data without undue delay (if personal data are no longer necessary to fulfill the purposes for which they were collected; the data subject withdraws his consent, personal data have been processed illegally, etc.);

• The right to restrict processing if personal data are inaccurate; the processing is illegal and the data subject requests the restriction of the use of personal data instead of their deletion; personal data are no longer necessary for the purpose of processing, but they are required for the establishment, exercise or defense of a right in court; the data subject has objected to the processing for the period of time when it is verified whether the legitimate rights of the controller prevail over those of the data subject;

• The right to data portability – to receive personal data in a structured, commonly used and automatically readable format and to transmit this personal data to another operator without obstacles from SC Romair Consulting SRL (if the processing is based on consent or a contract, and the processing is performed by automatic means);

• The right to object at any time to the processing of personal data (including profiling based on those provisions, and where personal data have been processed for direct marketing purposes);

• The right to withdraw consent at any time, without affecting the legality of the processing based on consent carried out before its withdrawal. Thus, the data subject understands and agrees that, in case of withdrawal, the purpose of processing personal data cannot be reached;

• The right to lodge a complaint with a supervisory authority, the Office of the Commissioner for the Protection of Personal Data, if the data subject decides that his or her rights are being violated;

• The right to an effective remedy against a supervisory authority, SC Romair Consulting SRL or another processor;

• The right to compensation from SC Romair Consulting SRL or from another processor for the damage suffered.

8. CONFIDENTIALITY OF PROCESSING

Personal data is considered confidential information and will be treated as such. Any unauthorized collection, processing or use of this data by employees is prohibited. The processing of personal data is confidential. This will be performed only by the persons acting under the authority of SC Romair Consulting SRL and only on the basis of its instructions.

Any data processing performed by an employee that has not been authorized as part of his legitimate duties is considered unauthorized. The “need to know” principle applies.

Employees may have access to personal information depending on the suitability of this access to the types of data and the purpose for which they were used. This is based on the careful breakdown and separation of the attributions of the employees of SC Romair Consulting SRL and implies the implementation of the roles and responsibilities for each employee.

Employees are prohibited from using personal data for private or commercial purposes, disclosing it to unauthorized persons or making it available in any other way. Hierarchical superiors inform their employees at the beginning of the employment relationship about the obligation to protect data secrecy. In case of unauthorized use of personal data, employees may be sanctioned in accordance with applicable law and regulations in force within SC Romair Consulting SRL.

The obligation to maintain the confidentiality of personal data remains in force even after the end of the employment period, the sanctions applicable in case of breach of the obligation of confidentiality being those provided by the legal framework in force.

9. PROCESSING SAFETY

Personal data is protected against unauthorized access and against unlawful processing or disclosure, as well as accidental loss, alteration or destruction. This applies whether the data is processed electronically, on paper or by other means. Prior to the introduction of new data processing methods, in particular new information systems, technical and organizational measures for the protection of personal data are defined and implemented. These measures must be based on the state of the art, the risks of processing and the need to protect data (determined by the information classification process).

In particular, the responsible organizational structure may consult with the Information Security Officer and the Data Protection Officer. Technical and organizational measures for the protection of personal data are part of the management of corporate information security and are continuously adapted to technical developments and organizational changes.

Access to personal data is provided only to those employees of SC Romair Consulting SRL who need such personal data to perform their tasks related to any of the purposes of the processing mentioned above (including the human resources department, the Legal department, Financial, IT, Administrative department). Any access to personal data for other employees who do not have access rights in accordance with this Policy is prohibited.

The employees of SC Romair Consulting SRL who have access to personal data have the right to process only those data they need to fulfill their specific work responsibilities related to any of the processing purposes mentioned above. The documents containing personal data are stored in the structural departments of SC Romair Consulting SRL whose employees have access to personal data related to the performance of their official duties and are responsible for the interaction with the relevant data of the data subject. A person who processes personal data on behalf of SC Romair Consulting SRL respects the principles and rules of personal data processing established by this Policy. If SC Romair Consulting SRL authorizes another person with the processing of personal data, SC Romair Consulting SRL is responsible to the person concerned for the processing of personal data for the acts or omissions of that person. A person who processes personal data on behalf of SC Romair Consulting SRL is responsible for SC Romair Consulting SRL.

All personal data must be treated with the highest security and must be kept:

– in a locked room, with controlled access to the key; and / or

– in a locked drawer or cupboard; and / or

– if they are computerized, password-protected according to the requirements of the access control policy; and / or

– stored in (removable) computer media which are encrypted in accordance with the applicable standards in the field.

10. DATA PROTECTION CONTROL

Compliance with data protection policy and applicable data protection laws is regularly verified through data protection audits as well as other controls. The performance of these controls is the responsibility of the Data Protection Officer, the Data Protection Coordinators and other units of the Audit Operator or the external auditors employed. The results of the data protection checks shall be reported to the data protection officer. The management of SC Romair Consulting SRL is informed about the primary results as part of the reporting tasks of the person responsible for personal data protection. Upon request, the results of the data protection controls shall be made available to the data protection authority. The data protection authority may carry out its own checks on compliance with the regulations of this policy, in accordance with national law.

11. DATA RETENTION AND DISPOSAL

SC Romair Consulting SRL will not keep Personal Data in a form that allows the identification of data subjects for a longer period than necessary, in connection with the purposes for which the data were initially collected.

SC Romair Consulting SRL may store the data for longer periods according to the applicable mandatory prescription terms and with the implementation of adequate technical and organizational measures to protect the rights and freedoms of the data subjects. Personal data must be securely deleted in accordance with the sixth principle of the GDPR – processed in an appropriate way to maintain security, while protecting the “rights and freedoms” of data subjects. Any deletion of data will be performed in accordance with the secure deletion procedure.

12. DATA PROTECTION INCIDENTS

All employees are obliged to immediately inform their superior or the Data Protection Coordinator (DPC) of breaches of this data protection policy or other regulations on personal data protection (data protection incidents), regardless of whether they infringe the confidentiality, integrity or availability of data. The head of the organizational structure is obliged to immediately inform the Data Protection Coordinator (DPC) about the data protection incidents. In cases of:

– Improper transmission of personal data to third parties,

– Inadequate access to personal data or

– Loss, destruction or alteration of personal data,

the head of the organizational structure concerned shall, as a matter of urgency, draw up the notification reports in accordance with the rules laid down for the Management of Information Security Incidents, so that urgent measures can be taken to limit the damage to holders of personal data and to comply with the obligations to report and notify incidents to the supervisory authority.

13. RESPONSIBILITIES AND SANCTIONS

The management of SC Romair Consulting SRL as well as their employees and agents are responsible for data processing in their area of responsibility. Therefore, they are required to ensure that the legal requirements for data protection and those contained in the data protection policy (e.g. national reporting obligations) are met. Governing bodies have a responsibility to ensure that organizational, human and technical resources are in place to ensure that any data processing is carried out in accordance with data protection. Compliance with these requirements is the responsibility of leaders of organizational structures.

The Data Protection Coordinator (DPC) at the level of SC Romair Consulting SRL is immediately informed about the controls performed by the supervisory authorities regarding data protection. He, in turn, will inform the Data Protection Officer (DPO) appointed at the level of SC Romair Consulting SRL. The Data Protection Coordinator (DPC) is the local contact person within SC Romair Consulting SRL. He can perform checks and familiarize Romair Consulting employees with the provisions and content of data protection policies. The departments responsible for business processes and projects inform the Data Protection Coordinator (DPC) in a timely manner about new personal data processing. For data processing plans that may present special risks to the individual rights of data subjects, the Data Protection Coordinator (DPC) shall be informed before the start of processing. This necessarily applies to sensitive personal data. Managers ensure that their employees are sufficiently trained in data protection. Improper processing of personal data or other breaches of data protection laws may lead to claims for damages. Violations for which individual employees are responsible may lead to sanctions under labor law.

14. DATA PROTECTION OFFICER (DPO)

The Data Protection Officer (DPO) appointed at the level of SC Romair Consulting SRL, being independent from the point of view of professional orders, carries out his activity for the observance of the legislation in force regarding data protection. He is responsible for the data protection policy and oversees its compliance. The Data Protection Officer has a direct reporting line to the Board of Directors of Romair Consulting within which it carries out its activity. The Data Protection Coordinator (DPC) within Romair Consulting, as the local representative, informs without delay the Data Protection Officer (DPO) of Romair Consulting about any data protection risk. Any data subject may approach the Data Protection Coordinator (DPC) at any time to raise concerns, to ask questions, request information or make complaints about data protection or data security issues. If requested, concerns and complaints will be treated confidentially.

If the data coordinator in question cannot resolve a complaint or remedy the breach of data protection policy, the Data Protection Officer (DPO) shall be consulted immediately. Decisions taken by the Data Protection Officer (DPO) to remedy data protection breaches must be supported by the management of the company concerned. Surveillance authorities’ inquiries are always reported to the data protection officer.

The contact details of data protection officers and staff are as follows:

Romair Consulting, Data Protection Officer (DPO).

E-mail: office@romair.ro; dpo@romair.ro.

15. DATE OF ENTRY INTO FORCE. CHANGE.

This Policy enters into force on May 15, 2021. SC Romair Consulting SRL may change or modify this policy periodically. This can happen, for example, due to changes in the law, or if SC Romair Consulting SRL changes its business or practices.

ROMAIR CONSULTING Headquarters
4 Mr. Ștefan Sănătescu Str.,
District 1, Bucharest